Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:13262
Return-Path: <cschneid@cschneid.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 36980 invoked by uid 1010); 11 Oct 2004 22:32:39 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 36945 invoked from network); 11 Oct 2004 22:32:39 -0000
Received: from unknown (HELO xaxa.search.ch) (195.141.85.117)
  by pb1.pair.com with SMTP; 11 Oct 2004 22:32:39 -0000
Received: from localhost (localhost [127.0.0.1])
	by xaxa.search.ch (Postfix) with ESMTP
	id 98E076CFA6; Tue, 12 Oct 2004 00:32:38 +0200 (CEST)
Received: by xaxa.search.ch (Postfix, from userid 65534)
	id 5CD8C6D83C; Tue, 12 Oct 2004 00:32:37 +0200 (CEST)
Received: from [192.168.0.42] (ultrafilter-i [192.168.85.2])
	(using TLSv1 with cipher RC4-MD5 (128/128 bits))
	(No client certificate requested)
	by xaxa.search.ch (Postfix) with ESMTP
	id DC4686CFA6; Tue, 12 Oct 2004 00:32:36 +0200 (CEST)
Message-ID: <416B0A04.7040908@cschneid.com>
Date: Tue, 12 Oct 2004 00:32:36 +0200
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040906
X-Accept-Language: en-us, en, de-ch, de
MIME-Version: 1.0
To: Sascha Schumann <sascha@schumann.cx>
Cc: internals@lists.php.net
References: <20041011100001.94254.qmail@pb1.pair.com> <Pine.LNX.4.61.0410111934010.11564@chatserv>
In-Reply-To: <Pine.LNX.4.61.0410111934010.11564@chatserv>
X-Enigmail-Version: 0.86.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on xaxa.search.ch
X-Spam-Level: 
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham 
	version=2.64
X-Virus-Scanned: by AMaViS 0.3.12pre8
Subject: Re: [PHP-DEV] HTTP Response Splitting
From: cschneid@cschneid.com (Christian Schneider)

Sascha Schumann wrote:
>     response header.  There are also some SAPI modules which
>     specifically expect exactly one header per call.  As such,
>     stripping off \n.* seems correct to me.

The HTTP standard allows header field folding (CR/LF followed by at 
least one  whitespace on the next line), i.e.:
X-Some-Header: key1=value1;<CR><LF>
  key2=value2;
is the same as
X-Some-Header: key1=value1; key2=value2;
and that's why my patch just replaces the CRs/LFs to spaces to unfold 
the lines again. This won't break folded lines but will still defang 
malicious header splitting.

- Chris